Be aware! Malicious individuals are using email to pose as Vanderbilt leaders in an attempt to steal our personal information and attack our institution.

In recent weeks, we have had many instances of a type of email attack called “spear-phishing” all across Vanderbilt. This tactic is a ramped-up version of “phishing,” which is something most of us have gotten used to and have learned to protect ourselves from. Remember that phishing is a type of malicious activity where attackers trick a user into giving up credentials such as a password or valuable data. These attacks can occur via the phone or email, and often involve placing a tempting and plausible link in an email, hoping the victim will click it.

Spear-phishing is a more sophisticated variation where the attacker pretends to be a specific individual who is trusted and legitimate and, often, in a leadership position. Lately, we have seen numerous instances where the perpetrators have pretended to be Vanderbilt leaders such as our Chancellor and Provost. In these cases, and no doubt in others involving additional Vanderbilt leaders, part of the tactic has been to utilize a plausible-sounding email ID, masquerading as a personal ID. (Imagine chancellornickzeppos@gmail.com.) VUIT continues to block as many examples of obvious malfeasance as possible from making it to our inboxes, but the bad actors continue to get more sophisticated and confront us with a moving target.

Therefore, it is important for all of us to use the following tips to protect ourselves and Vanderbilt:

Remember that our leaders will use their official “@vanderbilt.edu” email addresses to do important Vanderbilt business.

Always check the sender’s email address closely and make sure you recognize it.

Never click links in unfamiliar emails.

If there is any doubt, contact the sender or their staff using the telephone or instant messaging.

Avoid opening attachments unless you have verified the sender.

Be especially wary of unexpected communications that ask you to sign in, provide credentials, or provide other sensitive information.

Be alert to the fact that malicious parties often try to instill a sense of high urgency or close familiarity to catch you off guard.